From 37b29231e47a0c4458dc1c15d98588f16f07e1e2 Mon Sep 17 00:00:00 2001
From: Marius Cramer <m.cramer@pixcept.de>
Date: Thu, 06 Aug 2015 03:18:44 -0400
Subject: [PATCH] - don't set password via remoting if field is empty

---
 interface/lib/classes/session.inc.php |   49 ++++++++++++++++++++-----------------------------
 1 files changed, 20 insertions(+), 29 deletions(-)

diff --git a/interface/lib/classes/session.inc.php b/interface/lib/classes/session.inc.php
index 03fad95..bef2a10 100644
--- a/interface/lib/classes/session.inc.php
+++ b/interface/lib/classes/session.inc.php
@@ -33,6 +33,7 @@
 	private $session_array = array();
 	private $db;
 	private $timeout = 0;
+	private $permanent = false;
 
 	function __construct($session_timeout = 0) {
 		$this->db = new db;
@@ -43,6 +44,10 @@
 		$old_timeout = $this->timeout;
 		$this->timeout = $session_timeout;
 		return $old_timeout;
+	}
+	
+	function set_permanent($value = false) {
+		$this->permanent = $value;
 	}
 
 	function open ($save_path, $session_name) {
@@ -61,9 +66,9 @@
 	function read ($session_id) {
 		
 		if($this->timeout > 0) {
-			$rec = $this->db->queryOneRecord("SELECT * FROM sys_session WHERE session_id = '".$this->db->quote($session_id)."' AND last_updated >= DATE_SUB(NOW(), INTERVAL " . intval($this->timeout) . " MINUTE)");
+			$rec = $this->db->queryOneRecord("SELECT * FROM sys_session WHERE session_id = ? AND (`permanent` = 'y' OR last_updated >= DATE_SUB(NOW(), INTERVAL ? MINUTE))", $session_id, $this->timeout);
 		} else {
-			$rec = $this->db->queryOneRecord("SELECT * FROM sys_session WHERE session_id = '".$this->db->quote($session_id)."'");
+			$rec = $this->db->queryOneRecord("SELECT * FROM sys_session WHERE session_id = ?", $session_id);
 		}
 
 		if (is_array($rec)) {
@@ -82,27 +87,18 @@
 
 		// Dont write session_data to DB if session data has not been changed after reading it.
 		if(isset($this->session_array['session_data']) && $this->session_array['session_data'] != '' && $this->session_array['session_data'] == $session_data) {
-			$session_id   = $this->db->quote($session_id);
-			$last_updated = date('Y-m-d H:i:s');
-			$this->db->query("UPDATE sys_session SET last_updated = '$last_updated' WHERE session_id = '$session_id'");
+			$this->db->query("UPDATE sys_session SET last_updated = NOW() WHERE session_id = ?", $session_id);
 			return true;
 		}
 
 
 		if (@$this->session_array['session_id'] == '') {
-			$session_id   = $this->db->quote($session_id);
-			$date_created = date('Y-m-d H:i:s');
-			$last_updated = date('Y-m-d H:i:s');
-			$session_data = $this->db->quote($session_data);
-			$sql = "INSERT INTO sys_session (session_id,date_created,last_updated,session_data) VALUES ('$session_id','$date_created','$last_updated','$session_data')";
-			$this->db->query($sql);
+			$sql = "REPLACE INTO sys_session (session_id,date_created,last_updated,session_data,permanent) VALUES (?,NOW(),NOW(),'$session_data',?)";
+			$this->db->query($sql, $session_id, ($this->permanent ? 'y' : 'n'));
 
 		} else {
-			$session_id   = $this->db->quote($session_id);
-			$last_updated = date('Y-m-d H:i:s');
-			$session_data = $this->db->quote($session_data);
-			$sql = "UPDATE sys_session SET last_updated = '$last_updated', session_data = '$session_data' WHERE session_id = '$session_id'";
-			$this->db->query($sql);
+			$sql = "UPDATE sys_session SET last_updated = NOW(), session_data = ?" . ($this->permanent ? ", `permanent` = 'y'" : "") . " WHERE session_id = ?";
+			$this->db->query($sql, $session_data, $session_id);
 
 		}
 
@@ -111,25 +107,20 @@
 
 	function destroy ($session_id) {
 
-		$session_id   = $this->db->quote($session_id);
-		$sql = "DELETE FROM sys_session WHERE session_id = '$session_id'";
-		$this->db->query($sql);
+		$sql = "DELETE FROM sys_session WHERE session_id = ?";
+		$this->db->query($sql, $session_id);
 
 		return true;
 	}
 
 	function gc ($max_lifetime) {
 
-		/*if($this->timeout > 0) {
-			$this->db->query("DELETE FROM sys_session WHERE last_updated < DATE_SUB(NOW(), INTERVAL " . intval($this->timeout) . " MINUTE)");
-		} else {*/
-			$real_now = date('Y-m-d H:i:s');
-			$dt1 = strtotime("$real_now -$max_lifetime seconds");
-			$dt2 = date('Y-m-d H:i:s', $dt1);
-
-			$sql = "DELETE FROM sys_session WHERE last_updated < '$dt2'";
-			$this->db->query($sql);
-		//}
+		$sql = "DELETE FROM sys_session WHERE last_updated < DATE_SUB(NOW(), INTERVAL ? SECOND) AND `permanent` != 'y'";
+		$this->db->query($sql, intval($max_lifetime));
+			
+		/* delete very old even if they are permanent */
+		$sql = "DELETE FROM sys_session WHERE last_updated < DATE_SUB(NOW(), INTERVAL 1 YEAR)";
+		$this->db->query($sql);
 
 		return true;
 

--
Gitblit v1.9.1